The following PHP code triggers a segmentation fault due to a NULL pointer dereference:
```php
<?php
// Oniguruma accepts this name, but mbfl does not know it
mb_regex_encoding('iso-8859-11');
$test_str = 'x';
// mb_ereg_search_init() validates the subject with php_mb_check_encoding(),
// which reads the (NULL) mbfl encoding set above
if (mb_ereg_search_init($test_str)) {
    $val = mb_ereg_search_pos("x");
    var_dump($val);
} else {
    var_dump(false);
}
```
The crash occurs due to a mismatch between Oniguruma and mbfl encoding support:
- Oniguruma (the regex library) supports iso-8859-11 (Thai encoding)
- mbfl (mbstring's internal encoding library) does NOT support iso-8859-11
Relevant code (php-src/ext/mbstring/php_mbregex.c, lines 404 to 413 in 0d9ff00):

```c
int php_mb_regex_set_mbctype(const char *encname)
{
	OnigEncoding mbctype = _php_mb_regex_name2mbctype(encname);
	if (mbctype == ONIG_ENCODING_UNDEF) {
		return FAILURE;
	}

	MBREX(current_mbctype) = mbctype;
	MBREX(current_mbctype_mbfl_encoding) = mbfl_name2encoding(encname);
	return SUCCESS;
}
```
When mb_regex_encoding('iso-8859-11') is called:
1. php_mb_regex_set_mbctype() validates the encoding against Oniguruma → succeeds
2. mbfl_name2encoding('iso-8859-11') is called → returns NULL
3. MBREX(current_mbctype_mbfl_encoding) is set to NULL

Later, when mb_ereg_search_init() calls php_mb_check_encoding():
1. php_mb_regex_get_mbctype_encoding() returns NULL
2. php_mb_check_encoding() dereferences the NULL pointer → SEGV
This vulnerability allows a denial of service (DoS). An attacker can reliably crash a PHP process when user-controlled input influences the encoding passed to mb_regex_encoding() and the application subsequently uses mbregex search APIs.
Enumeration of all Oniguruma-supported encodings vs mbfl support:

| Encoding / aliases | Oniguruma | mbfl | Status |
|---|---|---|---|
| iso-8859-1 … iso-8859-10 | ✓ | ✓ | Safe |
| iso-8859-11, ISO8859-11 | ✓ | ✗ | CRASH |
| iso-8859-13 … iso-8859-16 | ✓ | ✓ | Safe |
| EUC-JP aliases: UJIS | ✓ | ✗ | CRASH |
| EUC-CN aliases: GB-2312 | ✓ | ✗ | CRASH |
| KOI8 aliases: KOI-8R | ✓ | ✗ | CRASH |
| ASCII aliases: US_ASCII, ISO646 | ✓ | ✗ | CRASH |
| KOI8 (no suffix) | ✓ | ✗ | Safe (rejected by mb_regex_encoding()) |
| All other encodings | ✓ | ✓ | Safe |
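An application-level hardening, added here as an example and not code from the advisory or from php-src: allow-list the requested encoding against mbfl's own name table (mb_list_encodings() plus mb_encoding_aliases()) before it reaches mb_regex_encoding(). Every CRASH row above is a name this lookup returns null for, since it is the same table mbfl_name2encoding() consults; the natural upstream fix is for php_mb_regex_set_mbctype() to return FAILURE when mbfl_name2encoding() returns NULL, and this wrapper is for applications that need protection at the PHP level meanwhile. The function names mbfl_canonical_encoding and safe_mb_regex_encoding are the example's own.

```php
<?php
// Added example, not the advisory's or php-src's code. The crash requires an encoding
// name that Oniguruma accepts but mbfl_name2encoding() maps to NULL. mb_list_encodings()
// and mb_encoding_aliases() expose mbfl's own name table, so a name missing from it is
// exactly the mismatch case (iso-8859-11, UJIS, GB-2312, KOI-8R, US_ASCII, ISO646).

/**
 * Canonical mbfl name for $requested, or null if mbfl does not know it.
 * Lookup is case-insensitive, as mbfl_name2encoding() is.
 */
function mbfl_canonical_encoding(string $requested): ?string
{
    static $known = null;
    if ($known === null) {
        $known = [];
        foreach (mb_list_encodings() as $enc) {
            $known[strtolower($enc)] = $enc;
            foreach (mb_encoding_aliases($enc) as $alias) {
                $known[strtolower($alias)] = $enc;
            }
        }
    }
    return $known[strtolower($requested)] ?? null;
}

/**
 * Wrapper for mb_regex_encoding() that refuses, instead of crashing later, any name
 * that would leave MBREX(current_mbctype_mbfl_encoding) set to NULL.
 */
function safe_mb_regex_encoding(string $requested): bool
{
    $canonical = mbfl_canonical_encoding($requested);
    if ($canonical === null) {
        return false; // unknown to mbfl: mb_ereg_search_init() would dereference NULL
    }
    try {
        // mbfl knows it but Oniguruma may not (e.g. HTML-ENTITIES): PHP 8 throws ValueError
        return mb_regex_encoding($canonical);
    } catch (\ValueError $e) {
        return false;
    }
}

// Constructed sample values standing in for user-controlled input.
foreach (['UTF-8', 'ISO8859-11', 'UJIS', 'KOI-8R'] as $requested) {
    $ok = safe_mb_regex_encoding($requested);
    printf("%-12s -> %s\n", $requested, $ok ? 'accepted' : 'refused');
}
```

On PHP 7 an encoding mbfl knows but Oniguruma rejects makes mb_regex_encoding() return false with a warning rather than throw, so the wrapper returns false either way.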
Credits
Viet Hoang Luu - The University of Melbourne
Amirmohammad Pasdar - The University of Melbourne
Wachiraphan Charoenwet - The University of Melbourne
Shaanan Cohney - The University of Melbourne
Toby Murray - The University of Melbourne
Van-Thuan Pham - The University of Melbourne